How hyperledger fabric chaincode signing and installation works?

1
votes

In a hyperledger fabric setup, various organizations that take part in network need to execute chaincode (assuming every org has an endorser). My question is around signing of the chaincode to prevent tampering. I see any peer can create a signedCDS using (just for example)

peer chaincode package -n mycc -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -v 0 -s -S -i "AND('OrgA.admin')" ccpack.out

Now, my question is 1. How do we specify that chaincode should be signed by required number of owners, I don't see any argument where I can specify the owners? 2. How I can validate if a chaincode has been signed by owners, that is verification by looking at CDS? 3. How can we ensure if every owner has deployed the actual signed version and not tampered with chaincode?

Thanks

2
hyperledger-fabrichyperledger

2 Answers

0
votes

The -S option directs the process to sign the package using the MSP identified by the value of the localMspid property in your file .yaml.

The ChaincodeDeploymentSpec may be optionally be signed by the collective owners to create a SignedChaincodeDeploymentSpec (or SignedCDS). The SignedCDS contains 3 elements:

The CDS contains the source code, the name, and version of the chaincode. An instantiation policy of the chaincode, expressed as endorsement policies. The list of chaincode owners, defined by means of Endorsement. see: https://hyperledger-fabric.readthedocs.io/en/stable/chaincode4noah.html

0
votes

Chaincode package signing has a bit different purposes than you assume. Let's imagine that you are the main channel admin, and in your channel there is 50 organizations. Only you can perform chaincode updates, however two organizations are very important, and you are not permitted to make any changes unless they approve them. To ensure that this condition is met, you prepare a new chaincode package, where you set yourself as the only entity, that can instantiate it:

peer chaincode package -n mycc -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -v 0 -s -S -i "AND('OrgA.admin')" ccpack.out

You send this package to those two organizations that have to accept it. After a week you get them back signed. You MANUALLY ensure, that the signature is correct, and package was not tampered (if it was you could immediately see it, as you had signed the package before sending it). Signing them is also a signal for you, that those organizations have already installed the chaincode on their endorsing peers, and they are ready for instantiation. After ensuring, that everything is fine, you instantiate the chaincode.